Do You Know What's On Your Network?
Tenable manages development of the free and widely used Nessus vulnerability scanning software, which registered around one million downloads in 2006.

Gula, who writes about Nessus and security issues on Tenable’s blog, believes independent auditing is the next major market to be cracked by vulnerability scanning.

“Vulnerability scanning lets you do discovery,” he said. “Many people don’t have a good idea about what they have in their network, what computers they have or where their routers and servers are, and scanning can give them that knowledge.”

It also allows organizations to do change detection, he said: they can know for certain that a system was patched, or that a new system has never been patched.

Two Ways to Scan

There are two models for vulnerability scanning. You can just take the raw information from the scanner and work with that to identify which nodes in the network are not compliant, and that’s fine, he said.

For some organizations, such as those with large and undisciplined networks and no good configuration maps, scanning like that may be all they have to identify problems.

Then there are organizations that do have managed networks, where patching is done regularly according to a set network policy. But that can set up false expectations, with the assumption that everything is under control because it is managed.

There is a good chance there is something in that managed network that either isn’t being managed properly or that can’t be managed, Gula said, and scanning can catch those devices that are non-compliant.

“We’ve shown people who have no vulnerability management programs how using this approach with a managed network will lead to fewer vulnerabilities,” he said.

Scanning is Not Enough

The role of companies like Tenable is no longer just to provide vulnerability scanners, Gula said. Operating scanners is a relatively easy skill to pick up, and as the Nessus downloads show, there are lots of people now using vulnerability scanning in some form. The trick is knowing the nuances.

So many third-party applications have been installed on computers, many without an administrator’s knowledge, that it is tough for anyone to know all of their characteristics and how they will show up on scans.

It’s also a mistake to think scanning alone will find all problems.

“I’m a big advocate of configuration management and patching, but I would never tell someone to hook all of that to our vulnerability scanner,” Gula said. “It all depends on how the scan is done.”

That’s where the opportunity lies, he said. A small organization that uses a Nessus scanner could turn up thousands of vulnerabilities, but it would never have the resources to check out and fix all of them.

“They don’t know how to put them in context,” he said. “To know which vulnerabilities are important and which ones they can safely leave alone.”
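The change-detection and context ideas above, as an added example that is not part of the original article or of Nessus itself: it diffs two constructed scan exports in an assumed Nessus-style CSV layout (the column names are assumptions) to list never-seen hosts, findings that disappeared between scans (evidence of patching), findings that persist, and a severity-ranked worklist so a small team knows which hosts to look at first.

```python
import csv
import io

# Constructed sample exports in an assumed Nessus-style CSV layout.
# Columns (assumed): host, plugin_id, plugin_name, severity. Not real scan output.
BASELINE_CSV = """\
host,plugin_id,plugin_name,severity
10.0.0.5,12345,Outdated OpenSSH,High
10.0.0.5,22222,Web server banner disclosure,Low
10.0.0.9,12345,Outdated OpenSSH,High
"""
CURRENT_CSV = """\
host,plugin_id,plugin_name,severity
10.0.0.5,22222,Web server banner disclosure,Low
10.0.0.9,12345,Outdated OpenSSH,High
10.0.0.23,12345,Outdated OpenSSH,High
10.0.0.23,33333,Default SNMP community string,Critical
"""

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1, "Info": 0}


def parse_scan(text):
    """Map (host, plugin_id) -> {name, severity} from one CSV export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        findings[(row["host"], row["plugin_id"])] = {
            "name": row["plugin_name"], "severity": row["severity"]}
    return findings


def diff_scans(baseline, current):
    """Change detection: what appeared, what went away, what is still there."""
    base_hosts = {h for h, _ in baseline}
    cur_hosts = {h for h, _ in current}
    return {
        "new_hosts": sorted(cur_hosts - base_hosts),      # never scanned before
        "gone_hosts": sorted(base_hosts - cur_hosts),
        "fixed": sorted(set(baseline) - set(current)),    # finding gone: likely patched
        "new_findings": sorted(set(current) - set(baseline)),
        "persistent": sorted(set(baseline) & set(current)),
    }


def prioritize(findings, min_severity="High"):
    """Hosts ordered by their worst finding, dropping anything below the threshold."""
    threshold = SEVERITY_RANK[min_severity]
    worst = {}
    for (host, _), f in findings.items():
        rank = SEVERITY_RANK[f["severity"]]
        if rank >= threshold:
            worst[host] = max(worst.get(host, 0), rank)
    return sorted(worst, key=lambda h: (-worst[h], h))
```

Running `diff_scans(parse_scan(BASELINE_CSV), parse_scan(CURRENT_CSV))` on the constructed data flags 10.0.0.23 as a host that was never in the baseline and the OpenSSH finding on 10.0.0.5 as fixed, while `prioritize` leaves 10.0.0.5 off the worklist because only a Low finding remains there.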